Last month was the twelve-year anniversary of my becoming a commercial Maltego user. I just looked, and there are 2,195 unique file names for those 241 months, so I average nine graphs a month. Here’s a peek into that world from last October. Someone had asked about the SoCal Armenian Extremists. I think I saw Neville Roy Singham mentioned in a New York Times article. The CHS here means Confidential Human Source, and those files were prep for Don’t Do The Crime. And I was just starting to ponder what Charles Johnson was doing, but I dismissed this low-budget “strange attractor” in Julian Assange Flipping?
And much like the material that led to MIOS: Iran’s PressTV, someone asked about Hamas, and I took a look around …
Attention Conservation Notice:
Yahya Sinwar is a war criminal. So is Benjamin Netanyahu. I’ve been concerned about food and water security in the region for a long time; Why Gaza Is Screwed dates back to late 2012.
On behalf of the music festival attendees slaughtered by Hamas, the hostages and their families, the tens of thousands of innocent civilians who’ve died in Gaza, our Iranian friends who have been trying to change their government since 2009, and the 75% of Israelis who are just finished with Bibi’s bullshit, let justice be done upon anyone who, through either action or inaction, has played a part in causing this suffering.
If that didn’t make you ball up your lil’ fists in impotent rage, feel free to continue …
RiskIQ Recon:
RiskIQ sold to Microsoft, and their Defender Threat Intelligence is a pale shadow of the original tool. I properly skewered them for this in Using BuiltWith And Threat Intel On A Domain, which is part of the Tool Time With IIB series. I jealously guard my old-school RiskIQ researcher account, and I put it to work on those Hamas domains. Like Semrush, it’s an eye in the sky, but the focus is on domains and related digital ephemera.
Achtung! If you are new to this, understand that the free sample tiers of RiskIQ and other tools are NOT sufficient to do this job properly. Many of them limit you to a small number of responses. There are a couple of clowns floating around Space Karen’s cybercesspool who put out enormous conspiratorial “studies” using the 15-artifact limit, and it’s really sad because they’re often misconstruing results from Cloudflare IPs that have 1,500+ domains on them. Two domains that share a CDN edge address share a vendor, not an operator; co-location only means something on an address that hosts a handful of names.
That being said, here’s what I accumulated for Hamas infrastructure.
474 RiskIQ artifacts related to 2023-10-24 Hamas analysis
I’ll save you the manual search, there are eleven emails in there.
Most of those are self-hosted within Hamas, or are role accounts belonging to vendors. The Gmail address is a role account for Hamas, but this poor fellow with the MSN address really goofed getting himself entangled with Hamas domains.
I’ve redacted the name and phone number, and that postal code makes me wonder if this is a persona rather than a person, but claiming residence in a NATO member country is … interesting. Maybe a reporter should dig deeper into this.
Infrastructure & Martech:
Free tools are limited in response volume, and they also typically don’t do a good job with time data; BuiltWith is a nice exception to that. There’s nothing special about qassam[.]ps, it’s just the first thing I saw to use as an example. Sorry for the microscopic text; if you zoom in you’ll see paltimes[.]net and paltimes[.]ps sharing a Google Analytics code with qassam[.]ps. Perhaps it’s attached to the ahmed.qassam@gmail.com address, but I don’t know a way to verify that from the outside.
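The two pivots above, shared hosting IPs and shared Google Analytics IDs, are the same mechanical operation: build an index from artifact to the hosts that carry it, then throw away artifacts that are too widely shared to mean anything, which is exactly where the 15-artifact crowd goes wrong on Cloudflare addresses. The following is an added example, not code from the post or from RiskIQ or BuiltWith; the passive-DNS rows, the page bodies, the IPs, the *.example names and the tracker IDs are all constructed, and only the three Palestinian domains come from the post.

```python
"""Pivoting on shared infrastructure artifacts without being fooled by CDNs.

Added example, not code from the original post. The passive-DNS rows and page
bodies below are constructed sample data, not RiskIQ or BuiltWith output; the
IPs, the *.example hostnames and the tracker IDs are made up.
"""
import re
from collections import defaultdict

# An IP carrying this many hostnames is treated as a shared edge (CDN, mass
# virtual hosting) and is not used as a pivot between its tenants.
SHARED_IP_THRESHOLD = 50

# Constructed passive-DNS rows: (hostname, resolved_ip).
PDNS = [
    ("qassam.ps", "198.51.100.7"),          # hypothetical pre-CDN origin
    ("site-b.example", "198.51.100.7"),
    ("site-c.example", "198.51.100.7"),
    ("qassam.ps", "104.16.0.1"),            # hypothetical CDN edge address
] + [(f"tenant{i}.example", "104.16.0.1") for i in range(60)]

# Constructed HTML snippets keyed by hostname; the UA-/G- IDs are invented.
PAGES = {
    "qassam.ps": "<script>ga('create', 'UA-12345678-1', 'auto');</script>",
    "paltimes.ps": "<script>gtag('config', 'UA-12345678-1');</script>",
    "paltimes.net": "<script>gtag('config', 'UA-12345678-1');</script>",
    "site-b.example": "<script>gtag('config', 'G-ABC123XYZ');</script>",
    "site-c.example": "<html><body>no analytics tag here</body></html>",
}

# Universal Analytics (UA-xxxxxxx-n) and GA4 (G-xxxxxxxx) property IDs.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


def extract_ga_ids(html):
    """Return the sorted set of Google Analytics IDs found in a page body."""
    return sorted(set(GA_ID_RE.findall(html)))


def shared_ips(pdns, threshold=SHARED_IP_THRESHOLD):
    """IPs that host so many names that co-location means nothing."""
    hosts_per_ip = defaultdict(set)
    for host, ip in pdns:
        hosts_per_ip[ip].add(host)
    return {ip for ip, hosts in hosts_per_ip.items() if len(hosts) >= threshold}


def pivots(pdns, pages, threshold=SHARED_IP_THRESHOLD):
    """Map each artifact shared by two or more hosts to those hosts.

    Keys are ("ip", address) or ("ga", tracker_id); shared edge IPs are skipped.
    """
    noisy = shared_ips(pdns, threshold)
    index = defaultdict(set)
    for host, ip in pdns:
        if ip not in noisy:
            index[("ip", ip)].add(host)
    for host, html in pages.items():
        for tracker in extract_ga_ids(html):
            index[("ga", tracker)].add(host)
    return {key: sorted(hosts) for key, hosts in index.items() if len(hosts) >= 2}


def clusters(pivot_map):
    """Connected components of hosts linked by any surviving pivot."""
    adjacent = defaultdict(set)
    for hosts in pivot_map.values():
        for host in hosts:
            adjacent[host].update(hosts)
    seen, out = set(), []
    for start in sorted(adjacent):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            host = stack.pop()
            if host not in comp:
                comp.add(host)
                stack.extend(adjacent[host] - comp)
        seen |= comp
        out.append(sorted(comp))
    return out


if __name__ == "__main__":
    found = pivots(PDNS, PAGES)
    for key, hosts in sorted(found.items()):
        print(f"{key[0]:>2} {key[1]:<16} {', '.join(hosts)}")
    for comp in clusters(found):
        print("cluster:", ", ".join(comp))
```

The threshold is the whole point: the 60 tenants on the edge address never become a cluster, while the three names sharing one tracker ID do. In practice you would feed the same index WHOIS registrant emails, nameservers and TLS certificate serials as further artifact types, with the same "too common to matter" filter applied to each.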
So there are clues here. Often one domain under scrutiny will get moved to a CDN like Cloudflare or DDoS-Guard, but the historic IP will continue to host softer targets. It’s sometimes possible to jump the CDN entirely by creating a static entry that points the domain at the old IP, circumventing the protection the operator thinks they have. That only works when the origin still answers for the hostname and hasn’t been restricted to the CDN’s address ranges, so it is worth checking rather than assuming.
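What the static entry actually does is make the client open a TLS session to the old address while still presenting the domain in SNI and the Host header; if the origin answers with the same page the CDN serves, the protection is cosmetic. The code below is an added example, not the author’s tooling: it does that one request per historic address using only the standard library, with the network call behind an injectable `fetch` so the decision logic can be run against the constructed canned responses at the bottom. The hostnames and addresses there are made up.

```python
"""Does a historic IP still serve a CDN-fronted hostname?

Added example, not from the original post. Sends one HTTPS request to the
candidate address with SNI and Host set to the hostname, which is exactly
what a browser does once a static hosts entry points the name at that IP.
`fetch` is injectable so the decision logic can run offline; CANNED below is
constructed sample data, not real probe results.
"""
import http.client
import re
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Probe:
    status: int
    server: str   # Server header: "cloudflare" on the edge, "nginx" on an origin
    title: str    # <title> text, used as a cheap content fingerprint


def fetch_probe(ip, hostname, path="/", timeout=5):
    """HTTPS GET to `ip` while presenting `hostname` in SNI and Host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # the origin may hold a stale or self-signed cert
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((ip, 443), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)   # SNI = hostname, not ip
    conn = http.client.HTTPSConnection(hostname, 443, timeout=timeout, context=ctx)
    conn.sock = tls                 # reuse the socket already opened to `ip`
    try:
        conn.request("GET", path, headers={"Host": hostname, "User-Agent": "origin-check/1.0"})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        status, server = resp.status, resp.getheader("Server", "")
    finally:
        conn.close()
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return Probe(status, server, m.group(1).strip() if m else "")


def hosts_entry(ip, hostname):
    """The static entry that bypasses the CDN, as an /etc/hosts line and the
    equivalent curl --resolve invocation."""
    return f"{ip} {hostname}", f"curl --resolve {hostname}:443:{ip} https://{hostname}/"


def exposed_origins(hostname, cdn_ip, historic_ips, fetch=fetch_probe):
    """Return (ip, server) for historic IPs that still answer 200 for
    `hostname` with the same page title the CDN serves. Connection failures
    mean the origin is gone or restricted to CDN ranges, and are skipped."""
    reference = fetch(cdn_ip, hostname)
    hits = []
    for ip in historic_ips:
        try:
            probe = fetch(ip, hostname)
        except (OSError, http.client.HTTPException):
            continue
        if probe.status == 200 and probe.title and probe.title == reference.title:
            hits.append((ip, probe.server))
    return hits


# Constructed responses standing in for live probes (hypothetical addresses).
CANNED = {
    "104.16.0.1": Probe(200, "cloudflare", "Example Site"),      # current CDN edge
    "198.51.100.7": Probe(200, "nginx/1.18.0", "Example Site"),  # old origin, still live
    "198.51.100.8": Probe(200, "Apache", "Default Web Page"),    # reassigned to someone else
}


def canned_fetch(ip, hostname, path="/", timeout=5):
    """Offline stand-in for fetch_probe; anything not in CANNED refuses."""
    if ip not in CANNED:
        raise OSError("connection refused")
    return CANNED[ip]


if __name__ == "__main__":
    historic = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    for ip, server in exposed_origins("example.com", "104.16.0.1", historic, fetch=canned_fetch):
        print(f"{ip} ({server}) still serves the site; bypass with: {hosts_entry(ip, 'example.com')[1]}")
```

Matching on the page title is deliberately crude; a reassigned address with a default vhost fails it, which is the false positive you most want to avoid. Bear in mind this is an active probe that lands in the origin’s access log with your source address, unlike the passive DNS and BuiltWith lookups that produced the candidate list.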
If we start following the paltimes[.]ps trail of breadcrumbs …
If someone were really curious about this, they could go through these things item by item, taking screen shots of domain registrations and such, and pretty soon there’d be a map of Hamas support that isn’t obvious. Since I’m just an “activist disinformation researcher”, according to the Washington Post, I better leave the decision making on this part to proper reporters.
Conclusion:
This quarter’s Malign Influence Operations Safari has taken a dramatic turn thanks to Joe Menn. I have long labored in obscurity, making Maltego graphs of things that catch my eye, capturing digital ephemera from interesting events using Hunchly, and I used to run a Twitter streaming platform. There’s a Figshare archive of the Capitol Siege Information Operation, some 220 million tweets and user profiles involved in the events from the July 2019 White House Media Summit through the January 6th attack. When I look at it I think I see continuity of purpose there, but like so much of my work, it’s never received a proper inspection and reporting.
All else being equal, tearing a chunk out of Hamas would bring us one step closer to safety for the people of Gaza, freedom for the people of Iran and Israel, as well as an overdue hot date with the ICC for Bibi. I would be happy to share my files and spend some time with a proper reporter in order to see this through.